Date of Original Airing: Jan 04, 2024
Introduction
Late last year I was asked to be a part of a podcast segment for work. Specifically I was asked about internal training and mentorship as that is one of my yearly highlights when we bring on interns and new forensics consultants. It is this podcast that inspired me to write the A Philosophical View on the Responsibilities of Leadership post.
As I do with other events that I take part at, I wanted to expand further on my comments as I had to be very concise that day.
What role does internal training play in preparing cybersecurity professionals for the challenges they'll face in our industry?
I mention that the cybersecurity landscape is in a state of constant flux. Internal training allows for individuals to be prepared for the cases they handle, and their strengths allow for leaders to put forth the right person for the right job.
Internal training allows for leaders to understand their direct reports skill set and work to enhance the good skills and bring the poor skills to par. Having a robust training library with a good testing idea, maybe something like a CTF, you can get direct results to work place training. Every year at the end of the intern summer, we think of ways we can make it better for next year. One of the ideas we are floating around is the idea of giving them an entry-CTF and an exit-CTF. The same questions will be asked with the answers being found in similar but different locations for each artifact. This would allow us to see directly what they have learned over the summer and seeing the rise in their skills.
I just realized that I might not have previously mentioned what a CTF is. A CTF, Capture the Flag, is a skills test that have become very popular in the cybersecurity industry for students or training environments. Some CTFs are narrowly focused on pentesting skills like "Hack The Box" and "Try Hack Me." Whereas others are much more diverse and test a larger set of skills like CyberSkyline's National Cyber League. I should also mention that there are collegiate cyber competitions such as the National Collegiate Cyber Defense Competition. All of these are great places to start learning hands on skills for the cyber world and one of the biggest things that I advocate my interns and mentees to take heavy part in. I even have a team available for people to join on the National Cyber League as a way for me to help people understand different skills they are working on.
How does mentorship within an organization contribute to the professional growth and development of individuals pursuing a cybersecurity career?
I talk about my definition of mentorship which is two people elect to be a team to help the mentee grow through challenge. This mentorship is directly tied to the fostering of an innovating career.
The bigger thing that I talked about was looking beyond. So often I see early-in-career folks, and honestly just humans in general, just think of solutions to problems only one step ahead. Outside the cybersecurity world, this would look like your neighbors being upset about someone speeding down a road in the neighborhood. So they decide the best argument to stop this is to install speed bumps. On the surface, no pun intended, this will work. However, the neighborhood only has one major road in and out and the installation of speed bumps would drastic increase the response time of emergency services. In the cybersecurity world, we have the benefit of having things the MITRE ATT&CK framework, which helps individuals to see what has already happened on their systems and then look at what threat actors could or would typically do next. Every decision we make has ripples and during this mentorship, the mentor should help the mentee understand the ripples as well as learn to predict them. Years ago when Ukraine was having cyberattacks against them, I predicted that this was a precursor to a Russian invasion, mainly because we had seen it before. However, that experience is what helps me understand a threat actors behavior.
I also talked about drones. Some might call these people ticket jockeys as they just wait for an alert to appear or for a ticket to come in for them to investigate. You will typically see these individuals in Security Operations Centers and for early-in-career people, this is just fine. However, that mentorship should challenge them to move beyond just the response and closer to the hunt. You want people to innovate defense. You want people to innovate response. Likewise, you want people to think for themselves and to help themselves. Bill Gates is attributed as saying “I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.” While this on the surface goes against what I am saying, I believe it reinforces it. He is talking about the automation of task and a lazy person seeing that they have a repeatable task and finding a way to automate it to reduce their work load. That is what you want.
How can organizations create a culture that encourages both experienced and junior cybersecurity professionals to participate in mentorship programs?
This is a hard question to answer. In the podcast I said it should be a requirement, but I know it can't be. At least not for everyone. I think getting the experienced individuals to be involved would be the harder item as they have a work pattern, they feel comfortable in their knowledge set, and they want to continue to rise in their career. So the more I think about it, I would say that to be a mentee, you would also need to be a mentor after a certain level. For instance, if an experienced practitioner wanted to be mentored in leadership skills or business development, they would also have to mentor someone junior to them. I also think that mentoring time should be awarded up to an hour a week. For us, it could count as a billable hour, but just billable to the company not a client.
For the more junior folks, I think that they have a hunger to learn and be mentored that the older ones don't so I do not think it would be as hard to get them involved. However, I still think they should be incentivized to join the program with something about the amount of time spent at the end of the year. I am hesitant to offer a cash incentive for this as they should be the sponge, but to encourage growth, something should be offered.
Both of these things should be implemented because as you see in the news, there are roughly 750,000 open cybersecurity positions in the US each year and the need to fill them doesn't go down. Threat actors only need to be right once, we have to be better than that.
What advice would you give aspiring cybersecurity professionals who want to make the most of internal training and mentorship opportunities to advance their careers?
If you have it, you must share it. If you want it, you must ask for it. It is that simple. We do not horde knowledge like a dragon, unwilling to share with anyone. We give it out as to make our jobs easier and how domain stronger.
When you think about times you have been mentored, what did you get out of those relationships?
Communication plays a much larger role in cybersecurity than I think most people expect. I am not talking about communicating to each other, but with a wider audience of varying knowledge levels. Being able to take these highly complex, very technical issues and make them digestible to the mentees and broader audience is a skill. It is also a skill that some people do not want to work on and that is fine. However, the ability to do it will open a lot of doors for those early-in-career and not in industry.
Is there a moment in your mentorship that really stands out?
I told this story in the podcast and in A Philosophical View on the Responsibilities of Leadership so I won't repeat it here in full, but the long story short is "Praise in public, punish in private."
However, if you latch on to anything in this post or the podcast it should be this. "If your team or someone on your team does something spectacular, you tell the world." You want this to encourage them to continue to innovate, to continue to thrive, and continue to be better. So you highlight that, even if it is the 1000th time.
Conclusion
The last question is "What do you want our listeners to remember from this conversation?" and my answer is simple. You are responsible for yourself. If you are unhappy with where you are at, look into why and make the changes. Sometimes that change might be hard, but life is about change and change is how we grow. You are responsible for your knowledge.
Want to get a hold of me?
Email | [email protected]
Discord | Mimir Cyber
The Official Mimir Cyber Discord Channel. It is the duty of those with knowledge to spread to those who ask for it. This is a place for individuals new or old to the cyber industry to get or provide support for other learning their way forward. No question is too small.
Member discussion: